Re: Linux Firewall Suggestion

From: Mike (honey_at_michaelmoyse.co.uk)
Date: 05/04/05

  • Next message: J.O. Aho: "Re: Network"
    Date: Wed, 04 May 2005 13:00:35 +0100
    
    

    Jack Masters wrote:
    > Mike wrote:
    >
    >> KP wrote:
    >>
    >>> I work for a company that has no firewall. We are 20 person company
    >>> whose connection to the Internet is via Cisco 1610 router - T1.
    >>>
    >>> The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
    >>> Address (our mail, web site, and FTP) to 3 of the Internal Servers.
    >>> It does a one to map mapping.
    >>>
    >>> Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
    >>> 100.100.100.100 to private 192.168.1.10);
    >>> Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443)
    >>> - (public ip 100.100.100.101 to private 192.168.1.11);
    >>> Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
    >>> 100.100.100.102 to private 192.168.1.12);
    >>>
    >>> My GOALis to get a Linux firewall that is SIMPLE to use to place
    >>> between the internal network and our Internet router. Also, it has
    >>> to be able to route traffic destined on public ip xxx.xxx.xxx.xxx to
    >>> private ip xxx.xxx.xxx.xxx- same as 1 to 1 NAT mapping but more
    >>> locked down due to firewall features. Because multiple servers have
    >>> port 80 and 443, I can't just do port forwarding. It must be
    >>> intelligent enough to see the URL/URI to forward to the right box.
    >>>
    >>> Hope this made sense.
    >>>
    >>> What would you guys suggest in terms in the Linux distro with this
    >>> capability, and how I should set it up?
    >>>
    >>> Thank you!
    >>>
    >>
    >> If you are not sure what you are doing, don't play with your company
    >> network. This is not the place to start learning about Linux
    >> firewalls. Invest your money in a hardware solution such as a
    >> Watchguard Firebox. You will find it easier to implement as it has a
    >> Windows front end and you will get all the benefits of a
    >> Linux/Iptables box as that is what it uses. You will also get first
    >> rate support (They can even configure the box remotely for you) and
    >> upgrades.
    >>
    >> I'm not affiliated to Watchguard in any way. I just use their boxes
    >> and also build Linux firewalls using IPCOP and Smoothwall or just
    >> plain old IPtables.
    >>
    >> Mike
    >
    >
    > Any firewall, even a badly configured one, would be better than leaving
    > the network wide open. Playing with the firewall on a live network may
    > open one up to (physical) abuse from users that see their lunchtime
    > surfing/IM interrupted, but starting off with one of the many example
    > scripts available would be difficult to create a FW that opens the
    > network up further than it already is.
    >
    > J
    >

    Would you learn to wire a house by doing it with the power on?

    Would you learn to service a car by playing with your fathers brand new
    Porche?

    Bottom line, you do not learn by playing with live systems. Only a fool
    would do that.


  • Next message: J.O. Aho: "Re: Network"

    Relevant Pages

    • RE: [fw-wiz] Firewalls v. Router ACLs
      ... people to take in consideration in network design and layout. ... here and the old firewalls list often emphasized an approach that avoided ... The logging alert features alone turn this layer into a IDS as ... > An appropriately sized router will not have any performance problems. ...
      (Firewall-Wizards)
    • [fw-wiz] IDS/IPS and LOGS
      ... nasty behavior is happening on your network (where your network is ... easily turn your IPS into a big denial of service attack. ... My guess is that most of the Worlds firewalls and IDS/IPS only have half ... I noticed that there is a big emphasis on log parsing while there should ...
      (Firewall-Wizards)
    • Re: Establish persistant outbound connection for covert application
      ... which firewalls are running etc.) and then communicate its ... the actual network layer. ... They do have 2 network interfaces in case I want to chain them between a PC ... They also have a wireless interface so I can hook into the machine if I am ...
      (Security-Basics)
    • Re: Linux Firewall Suggestion
      ... > Mike wrote: ... >> and also build Linux firewalls using IPCOP and Smoothwall or just ... > the network wide open. ... Would you learn to service a car by playing with your fathers brand new ...
      (comp.os.linux)
    • Re: Linux Firewall Suggestion
      ... > Mike wrote: ... >> and also build Linux firewalls using IPCOP and Smoothwall or just ... > the network wide open. ... Would you learn to service a car by playing with your fathers brand new ...
      (alt.os.linux)